Keeping your data, and your company, safe in the AI era

July 2nd, 2026

Luke Peluso spent two decades in managed services, doing vendor due diligence for companies that handled sensitive data and couldn't afford to get it wrong. He knows what a customer roster contains. He knows what call recordings carry. He knows what happens when that information ends up somewhere it shouldn't.

That's why, since coming to the trades two years ago to help the team at Quality Service in South Carolina navigate AI and other technology, he's been a little unsettled by how casually some contractors hand that information over.

"We're stewards of our customers' data," Peluso, Quality Service’s technology manager, said. "And I think that's a responsibility the industry takes too lightly."

The rush to adopt AI tools is real and, Peluso said, mostly good. But the pace of adoption has outrun the thinking required to do it safely. Contractors are connecting third-party tools to their ServiceTitan databases, dropping customer records into consumer AI platforms and granting API permissions they don't fully understand — not out of negligence, but out of urgency. Nobody wants to be left behind.

That urgency makes this moment worth paying attention to.

Everybody's running in the same direction

Adam Leisring, ServiceTitan's Chief Information Security Officer, watches adoption patterns across a platform used by thousands of trades businesses. He sees the urgency up close. 

Leisring said businesses across virtually every industry are moving quickly to adopt AI, driven by both its promise and a growing concern about being left behind. While he believes the momentum is justified, many organizations are still trying to determine where the technology creates the most meaningful value and how to pursue it responsibly and securely. 

"There is a fear of missing out across all industries right now," Leisring said. "We all know that there's value there." The challenge, he said, is ensuring that the pursuit of innovation does not outpace security.

The barrier to connecting third-party tools to a platform like ServiceTitan has never been lower. API access, once the domain of enterprise IT teams, is now something anyone with some coding knowledge — and increasingly, people with none — can configure in an afternoon. "Vibe coding," as the practice of AI-assisted development has come to be known, has dropped the technical floor to nearly nothing.

That means changes that used to require an engineer, and the mistakes that can come with them, can be made by anyone.  

"In a few strokes of a keyboard, you could nuke your entire database," Peluso said.

That's not hypothetical. A company called PocketOS — the incident is public record — had its production database and backups deleted by an AI system given more access than anyone intended.

That could easily be a contracting business. 

'Would you leave it at a bar?'

The most common mistake Peluso sees? When contractors set up API access for a third-party tool, the default instinct is to grant full permissions. Contractors want the integration to work, so they give read and write access to everything and move on.

What that means in practice is that a flashy new AI tool — a voice analysis vendor, a scheduling tool, a sentiment analysis platform — potentially has the same access to your ServiceTitan database as you do. Customer records. Payment history. Membership data. Payroll information.

"Would you have this on an Excel sheet and leave it at a bar?" Peluso said. "That's essentially what you're doing."

Leisring's advice is specific: scope your API access to only what the integration actually requires. If a vendor is providing call sentiment analysis, they need call data. If they're asking for full read/write access and can't explain why, that's a problem.

"Ask for clarity with regard to what data they actually need from ServiceTitan," Leisring said. "If they only need first name, last name and email, but what you'll find is they're pulling payroll information or bank account routing information, that would be a huge red flag."

The access itself is only part of the equation. Leisring said contractors should also evaluate whether the vendor has demonstrated a mature security program before entrusting them with sensitive business and customer data. Certifications such as SOC 2 and ISO 27001 can provide an important signal, and vendors that lack them should be prepared to answer detailed security questionnaires.

"When you trust these vendors with your data, it's imperative that we're ensuring that they are trustworthy," Leisring said.

Peluso tested this himself. A vendor surfaced on Facebook, offering voice analysis and revenue re-engagement tools for around $99 a month. When he went through the setup process, the vendor asked for full API permissions — not through ServiceTitan's marketplace registration process, but through a direct request for keys and access.

He asked why a read-only sentiment analysis tool needed write access.

"They said, 'Well, that's just our scope,'" Peluso said.

He walked away.

'Who's your support team?'

There's a version of this conversation that ends with a contractor deciding the answer to vendor risk is to build their own tools.

It's a tempting conclusion. Vibe coding has made custom software feel accessible. A contractor with some technical curiosity and an AI assistant can stitch together automations, connect APIs, and produce something that looks, at least for a while, like a functioning system.

Peluso hears the argument regularly. His response is practical.

"If you're vibe coding, how are you going on vacation?" he said. "Where's your support team? Where's your DevOps team?"

Leisring sees the security dimension of the same problem. 

"The most likely threat is unintentional disclosure," Leisring said. "A person who is vibe coding that wasn't traditionally an engineer — they don't understand some of the foundational security components around safe storage of API keys. From that perspective, there is heightened risk."

The PocketOS case, involving software for car rental businesses, illustrates the same concern. An AI system with unchecked write access deleted an entire production database and all the backups, in nine seconds, without asking permission. When asked why, it listed the security protocols it had violated in doing so. The data was recovered, according to PocketOS, but not before the company became a cautionary tale.

Peluso's framing for where custom builds make sense is narrow: companion tools, sidecars, something that helps but isn't load-bearing.

"Don't make it a line-of-business application that your business is going to rely on," he said. "Good software is expensive for a reason. There's a reason SaaS exists."

The free tools aren't free

And there’s another risk that doesn't involve APIs at all.

Contractors are dropping call transcripts, customer records, and operational data into consumer AI tools, looking for sentiment analysis, summaries, or business insights. The price is right. The results can be useful.

"If you're doing financing over the phone, if you're taking payments, ACH, credit cards — what are you giving away?" Peluso said.

The same scrutiny should be applied to third-party voice vendors, answering services, and any tool that ingests customer calls. Privacy policies that describe "industry best practices" without specifics are, in Peluso's words, not a thing. SOC 2 compliance, PCI certification, clear data retention policies — these are the things worth asking about before you hand a vendor your call recordings.

Where to start

For contractors without a dedicated information security team, which is most of them, the options aren't as limited as they might seem.

ServiceTitan's marketplace is Leisring's first recommendation. The vendors listed there have undergone a security review, which establishes a floor that a random Facebook vendor does not.

"I would encourage folks to start there as you contemplate integrations into ServiceTitan," Leisring said.

For contractors who have an outside IT provider or a managed services provider (MSP), Peluso says looping them in on vendor decisions is basic hygiene that most businesses skip.

For those evaluating vendors independently, the checklist is straightforward even if the work isn't: ask for SOC 2 or ISO 27001 certification, send a security questionnaire, check who owns the company and who their investors are, and get a non-disclosure agreement or business associate agreement in place before any data changes hands. Ask, specifically, what data the vendor needs and why.

Cyber insurance carriers, Peluso noted, often provide vendor assessment resources as part of their policies.

'Garbage in, garbage out'

There's a slower risk that sits underneath all of this, one that doesn't involve a breach or a deletion but compounds quietly over time.

Contractors rushing to adopt AI tools are often doing so on a foundation of messy data, including job types that haven't been standardized, equipment records where the manufacturer name appears 31 different ways (capitalized, misspelled, abbreviated), and pricebooks that haven't been cleaned up in years.

AI amplifies that mess.

At Quality Service, Peluso and the broader team spent roughly two quarters focused almost entirely on data normalization before layering AI tools on top.

"The velocity at which we were able to adopt Scheduling Pro, Dispatch Pro, and rapidly fix our pricebook because we had that base layer of clean data, it just..." Peluso paused. "Everything's so much cleaner. And it's exponential, where one thing's cleaner, so now it's allowing us to clean other things."

The payoff came after two quarters of unglamorous work. The temptation, always, is to skip it.


'Have a plan'

Peluso's advice to contractors considering AI tools comes from watching too many people do the opposite.

"Don't fall in love with the next sexy goldfish they put in front of you," he said. "Lay out a one-to-three-year roadmap. Have your priorities. Every decision you make — we need this voice agent — does it align with your 12-, 24-, 36-month plan? What are you trying to get out of it? What problem are you trying to solve? How much money are you trying to save?"

Leisring frames the same idea from a security perspective. The risk isn't that AI will harm the trades. The risk is that the rush to adopt it outpaces the thinking required to do it safely.

"Innovating securely is our motto here internally," Leisring said. "And I would just encourage our customers to do the same."


Five risks — and what to do about them

In the age of AI and automation, most contractors know one thing for certain: They don't want to be left behind. 

What's getting less attention is the data that changes hands in the process. Every third-party tool connected to your ServiceTitan account, every call transcript dropped into a consumer AI platform, every custom automation built without a security foundation — each one carries risk that's easy to miss.

ServiceTitan Chief Information Security Officer Adam Leisring and Quality Service Technology Manager Luke Peluso, who spent two decades in managed services before coming to the trades, sat down recently to talk through what contractors should be watching for. 

Their list is shorter than you might expect. 

1. Unsecured API keys: API keys are the passwords to your business data. Treat them that way. Don't paste them into chats, post them in public code repositories or write them on a whiteboard. Store them in a dedicated secrets management tool. If a key is compromised, anyone holding it has the same access to your ServiceTitan database that you do.

2. Overpermissioned access: When a vendor asks for full read/write API access, ask why. A call sentiment tool needs call data. A scheduling integration needs scheduling data. If the scope of access doesn't match the scope of the service, that mismatch needs an explanation. ServiceTitan's auditing tools let you verify what a connected vendor is actually pulling — use them.

3. Unvetted vendors: The AI tools appearing in contractor Facebook groups and trade forums have often been in business for months, not years. Before granting any vendor access to your data, ask for SOC 2 or ISO 27001 certification. Send a security questionnaire. Check who owns the company. Start with ServiceTitan's marketplace, where vendors have already undergone a security review. Your cyber insurance carrier may also provide vendor assessment resources — worth a call if you're unsure where to start.

4. Consumer AI tools ingesting customer data: Free versions of consumer AI tools often train on the data you submit. Call transcripts, customer records, and payment information fed into those platforms may not stay private. Before using any AI tool for operational data, read the privacy policy. "Industry best practices" without specifics is not a data protection policy.

5. Custom builds carrying operational weight: AI-assisted coding has made it easier than ever to build something that works — for now. The risk isn't in building companion tools or automations that help at the margins. The risk is in replacing proven, supported software with a custom system that has no backup strategy, no quality assurance process, and no support team. When it breaks at 7 a.m. on a Monday in July, the person who built it is also the person who has to fix it.
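Item 1 above, and Leisring's earlier point about people who "don't understand some of the foundational security components around safe storage of API keys," both come down to one check: is the key sitting in the source code? The script below is an added example, not code from the article, from Quality Service or from ServiceTitan. It scans a constructed sample script for literals that are assigned to secret-looking names and that look random (Shannon entropy above a threshold), so a pasted key is flagged while a placeholder like REPLACE_ME is not, and it shows the replacement: reading the key from the environment, where a secrets manager or deployment platform puts it. The sample script, the key value and the environment variable name are all made up for the example and follow no real vendor's key format.

```python
import math
import os
import re

# Constructed sample source, the kind of quick script the article describes. The key
# value is made up and does not follow any real vendor's key format.
SAMPLE_SOURCE = '''\
import requests
API_KEY = "st_live_8fK2pQ9xLmN4vB7cR1tY6wZ3hJ5uE0aD"   # pasted straight from the portal
CLIENT_SECRET = "REPLACE_ME_REPLACE_ME"
TENANT_ID = "12345"
BASE_URL = "https://api.example.invalid/v2/"
def fetch_customers():
    return requests.get(BASE_URL + "customers", headers={"Authorization": API_KEY})
'''

# A name followed by '=' or ':' and a quoted literal of at least 16 non-blank characters.
ASSIGNMENT_RE = re.compile(
    r'''(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*["'](?P<value>[^"'\s]{16,})["']'''
)
SECRET_HINTS = ("key", "secret", "token", "password", "passwd", "credential")
ENTROPY_THRESHOLD = 3.5  # bits per character; randomly generated keys sit well above this


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(source):
    """Return one finding per literal that (a) is assigned to a name hinting at a
    secret and (b) looks random. Placeholders such as REPLACE_ME pass the name test
    but fail the entropy test, which keeps the noise down."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in ASSIGNMENT_RE.finditer(line):
            name, value = m["name"], m["value"]
            if not any(hint in name.lower() for hint in SECRET_HINTS):
                continue
            entropy = shannon_entropy(value)
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "name": name, "entropy": round(entropy, 2)})
    return findings


def load_api_key(name, env=None):
    """The fix: read the key from the environment (populated by a secrets manager or
    the deployment platform), never from source. Fails loudly when the variable is
    missing so an empty key can never be sent to the API by accident."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; fetch it from your secrets manager")
    return value


if __name__ == "__main__":
    for hit in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {hit['line']}: {hit['name']} looks like a pasted secret "
              f"(entropy {hit['entropy']} bits/char)")
    # HYPOTHETICAL_API_KEY is an example variable name, not a real product setting.
    try:
        load_api_key("HYPOTHETICAL_API_KEY")
    except RuntimeError as exc:
        print(exc)
```

Run it over your own scripts before they are shared, pushed to a repository or pasted into a chat; the same name-plus-entropy rule is how most commercial secret scanners start, and the entropy threshold is the knob to tune if your keys are shorter or your placeholders more random.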
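Item 2 above, and Leisring's advice earlier in the article (scope access to what the integration actually requires, and treat a sentiment vendor pulling payroll or bank routing data as a red flag), describe two checks: one before a key is issued, one afterwards against the audit trail. The code below is an added example, not the article's or ServiceTitan's own tooling. It compares the scopes a vendor requests against what its stated service can justify, then tallies what a connected vendor actually touched in a constructed audit log, counting denied requests as well, since an integration that keeps asking for data it was never granted is a finding in itself. The resource paths, data categories, service kinds and log format are all assumptions made for the example; they are not ServiceTitan's real endpoints, scopes or audit export.

```python
import re
from collections import Counter

# Hypothetical catalogue: which data category each API resource exposes. The paths
# are constructed for this example and are not ServiceTitan's actual endpoints.
RESOURCE_CATEGORY = {
    "/calls": "call_data",
    "/calls/recordings": "call_data",
    "/customers/contacts": "contact_basics",
    "/appointments": "scheduling",
    "/payments": "payment_data",
    "/payroll/timesheets": "payroll",
    "/bank-accounts": "bank_details",
}

# What each kind of integration can justify pulling, following the article's rule of
# thumb: a sentiment tool needs call data, a scheduling tool needs scheduling data.
SERVICE_NEEDS = {
    "call_sentiment": {"call_data", "contact_basics"},
    "scheduling": {"scheduling", "contact_basics"},
}

# Integrations that only analyse data never need write access.
READ_ONLY_SERVICES = {"call_sentiment"}


def review_scope_request(service_kind, requested):
    """Check 1, before issuing a key. `requested` holds scopes in the constructed
    form 'category:read' / 'category:write'. Returns the categories the vendor
    cannot justify and the write scopes a read-only service has no use for."""
    needed = SERVICE_NEEDS[service_kind]
    unjustified, unneeded_writes = set(), set()
    for scope in requested:
        category, _, mode = scope.partition(":")
        if category not in needed:
            unjustified.add(category)
        elif mode == "write" and service_kind in READ_ONLY_SERVICES:
            unneeded_writes.add(category)
    return {"unjustified": unjustified, "unneeded_writes": unneeded_writes}


# Constructed audit log format: one request per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vendor=(?P<vendor>\S+) method=(?P<method>[A-Z]+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample: a "read-only" sentiment vendor reads payroll, probes bank
# details (denied) and writes to contacts, while a scheduling app behaves.
SAMPLE_LOG = """\
2026-06-30T08:01:12Z vendor=sentiment-bot method=GET path=/calls/recordings status=200
2026-06-30T08:01:13Z vendor=sentiment-bot method=GET path=/customers/contacts status=200
2026-06-30T08:02:40Z vendor=sentiment-bot method=GET path=/payroll/timesheets status=200
2026-06-30T08:02:41Z vendor=sentiment-bot method=GET path=/bank-accounts status=403
2026-06-30T08:03:05Z vendor=sentiment-bot method=PUT path=/customers/contacts status=200
2026-06-30T08:03:06Z vendor=dispatch-app method=GET path=/appointments status=200
"""


def audit_vendor(log_text, vendor, service_kind):
    """Check 2, after the fact. Tally what `vendor` actually touched versus what its
    service justifies: out-of-scope categories, write operations, and denied
    requests (still worth knowing about, even though they returned nothing)."""
    needed = SERVICE_NEEDS[service_kind]
    out_of_scope, writes, denied = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["vendor"] != vendor:
            continue
        category = RESOURCE_CATEGORY.get(m["path"], "unclassified")
        if category not in needed:
            out_of_scope[category] += 1
        if m["method"] in {"POST", "PUT", "PATCH", "DELETE"}:
            writes[m["path"]] += 1
        if m["status"].startswith("4"):
            denied[m["path"]] += 1
    return {"out_of_scope": out_of_scope, "writes": writes, "denied": denied}


if __name__ == "__main__":
    print(review_scope_request(
        "call_sentiment", {"call_data:read", "contact_basics:write", "payroll:read"}))
    print(audit_vendor(SAMPLE_LOG, "sentiment-bot", "call_sentiment"))
```

The first check is the conversation Peluso describes having with the Facebook vendor, written down; the second is what to run over whatever your platform's auditing tools export, after mapping its paths and categories into the two tables at the top. Anything in `out_of_scope` or `writes` for a read-only vendor is the question to put back to them, and a non-empty `denied` tally means the scoping held but the vendor's software is still reaching for more than it said it needed.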
